

Windows 2003 user password problem

Posted on 2006-06-29
Medium Priority
Last Modified: 2008-08-18
We have some users that are in remote offices connected via a VPN client (Cisco). I've noticed that they will get their 60 day domain password change notice, and once they do that, it seems that their machine password doesn't sync, and the password is completely off.

Is there a certain way everyone deals with this?
Question by:shankshank

Expert Comment

ID: 17013093
Passwords fail to synchronize in a Windows domain, seemingly at random

Cause:  Password Synchronization is not configured identically on all domain controllers in the domain. As a result, if a nonconforming domain controller accepts a user's password change, it might not be able to change the password on UNIX computers.

Solution:  Ensure that Password Synchronization is configured identically on all domain controllers, particularly host settings and default settings for encryption keys and ports.

source: http://technet2.microsoft.com/WindowsServer/en/Library/7f960d32-96ff-474a-8556-528836731e8e1033.mspx?mfr=true

Author Comment

ID: 17013143
That's not it, since we can change while physically on the network with no problem.

It's the VPN that screws up.


Accepted Solution

napoleon41 earned 672 total points
ID: 17014093
Are the remote computers members of the domain?  We had some problems with profiles and various mapping/logon scripts until we removed the remote computers from the domain.  Granted, a lot more stuff has to be configured manually, but we have a small group of people working remotely (transcriptionists mostly).

Now, we hook our users up with our SSL VPN gateway and have them RDP onto a terminal server.  Bye, bye remote issues.  Just food for thought. (http://www.sslexplorer.com; note: they have a free edition because they built it on Linux.  I love open source.)

Assisted Solution

engineer_dell earned 664 total points
ID: 17014566
Two things I would try. First, look for any cached passwords relating to your server on their remote machine:
Control Panel --> Users --> Advanced --> Manage passwords

Also, you may want to edit the hosts and lmhosts files so that they have entries for your server.

A VPN router running Windows Server 2003 supports the logging of authentication and accounting information for VPN connections in local logging files when Windows authentication or Windows accounting is enabled. This logging is separate from the events recorded in the system event log. You can use the information that is logged to track site-to-site connection usage and authentication attempts. Authentication and accounting logging is especially useful for troubleshooting remote access policy issues. For each authentication attempt, the name of the remote access policy that either accepted or rejected the connection attempt is recorded.

The authentication and accounting information is stored in a configurable log file or files stored in the SystemRoot\System32\LogFiles folder. The log files are saved in Internet Authentication Service (IAS) or database-compatible format, meaning that any database program can read the log file directly for analysis.

If the VPN router is configured for RADIUS authentication and accounting and the RADIUS server is a computer running Windows Server 2003 and IAS, the authentication and accounting logs are stored in the SystemRoot\System32\LogFiles folder on the IAS server computer.


Assisted Solution

ssmith764 earned 664 total points
ID: 17071920

I may be barking up the wrong tree here, but is the VPN a permanent connection from the remote office, or do the users start the connection from their machines? The reason I ask is that if the users are not actually logging in to the domain but are logging in to their machine with cached credentials and THEN starting the VPN connection, when they change their passwords over the VPN the cached password on their machine will not be changed.
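The sequence ssmith764 describes (cached logon on the workstation, then a password change against the domain over the VPN) leaves an audit trail that can be correlated. The following is an added example, not code from the original thread: it parses a small set of constructed Windows Security audit records and flags users whose most recent logon was validated against the local credential cache (event 4624, logon type 11 "CachedInteractive") and who changed their password afterwards, which is exactly the case where the workstation cache goes stale. Event IDs 4624 and 4723 are the Vista-and-later numbers; the Windows 2003 era logs discussed in the thread record the same events as 528 and 627. All hostnames, usernames and timestamps below are constructed.

```python
"""Flag users likely to have a stale cached domain password on a workstation.

Added example for the discussion above; not code from the original post.
Input format (constructed for this example, one record per line):
    timestamp,host,event_id,user,logon_type
where logon_type is only populated for 4624 logon events.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOGON = 4624              # "An account was successfully logged on"
CACHED_INTERACTIVE = 11   # logon type validated against the local cache, not a DC
PASSWORD_CHANGE = 4723    # "An attempt was made to change an account's password"

# Constructed sample audit records (workstation logons plus DC password changes).
SAMPLE_LOG = """\
2006-06-29T08:01:10,WS-REMOTE1,4624,jdoe,11
2006-06-29T08:05:44,DC01,4723,jdoe,
2006-06-29T08:10:02,WS-HQ7,4624,asmith,2
2006-06-29T08:12:30,DC01,4723,asmith,
2006-06-29T07:50:00,DC01,4723,bwong,
2006-06-29T08:20:00,WS-REMOTE2,4624,bwong,11
"""


@dataclass
class Event:
    when: datetime
    host: str
    event_id: int
    user: str
    logon_type: Optional[int]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed CSV records and return them in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, user, ltype = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), host, int(eid),
                            user.lower(), int(ltype) if ltype else None))
    return sorted(events, key=lambda e: e.when)


def stale_cache_suspects(events: List[Event]) -> Dict[str, Tuple[str, str]]:
    """Return {user: (workstation, password_change_time)} for users whose
    most recent logon before a password change was a cached logon.

    A cached logon that happens *after* the change is not flagged here,
    because the logs do not tell us which password the user typed.
    """
    last_logon: Dict[str, Event] = {}
    suspects: Dict[str, Tuple[str, str]] = {}
    for ev in events:
        if ev.event_id == LOGON:
            last_logon[ev.user] = ev
        elif ev.event_id == PASSWORD_CHANGE:
            prior = last_logon.get(ev.user)
            if prior is not None and prior.logon_type == CACHED_INTERACTIVE:
                suspects[ev.user] = (prior.host, ev.when.isoformat())
    return suspects


if __name__ == "__main__":
    for user, (host, when) in stale_cache_suspects(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: cached logon on {host}, password changed at {when}; "
              f"workstation cache is probably stale")
```

In the sample data only jdoe is flagged: asmith logged on interactively at headquarters (type 2, validated by a domain controller), and bwong's password change predates the cached logon, so the cache may already hold the new password.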

Expert Comment

ID: 17073429
That's good thinking ssmith764.  I have never actually used the VPN "client" in a situation where the remote computer is a member of the domain.  Computers using the VPN client are not members of the domain.

All of our full-time remote users are LAN-to-LAN, where they are on a permanent tunnel with a router/PIX 501 at their house to provide the tunneling to the concentrator on site.  To those computers, the VPN is transparent and they might as well be jacked into a switch on site.  Computer/User security policies are slower (their login time is slower), but everything else works fine.

Obviously that requires some ACL rules to prevent their Internet traffic from pulling through the VPN, and for security reasons, we have chosen to deny their "company provided computer" from accessing the Internet.  We have, though, set up rules to give their personal computer(s) access to the Internet and deny them from the VPN.  Usually this is done by giving the company computer a static IP address and then providing a DHCP pool for their personal computers.

Security, security, security.


Author Comment

ID: 17266244
Smith: The VPN connection is not a permanent connection, but a VPN client run after the user logs in.
napoleon: I am curious about your topic of the router/PIX 501 setup, and not having the users' ability to access the net through the VPN. I wouldn't mind implementing a setup like that for me so that these VPN clients can access our network fine, but Internet traffic goes through their cable modem or ISP instead of through the VPN.


Expert Comment

ID: 17266933
Basically, there is a PIX 501 (or a SOHO) router at their house that is the first device in the chain from their Internet connection.  The PIX controls the Internet connection and access, and maintains a more or less permanent VPN connection with the Cisco Concentrator (we used to use a PIX, though) at the hospital.  This type of connection is called a LAN-to-LAN VPN.

The PIX 501 hands out a DHCP address, subnet mask, and default gateway to them and contains routing information.

Hospital Network -
Remote user's home network -

For security and function, we configure various ACLs (access control lists) and/or routing statements that direct the user's traffic.  If the destination is a 172.16 address, the 501 forwards the traffic down the VPN.  Any Internet traffic is sent out their Internet connection (and not the hospital's), and any local traffic is kept in their local network (printer, home network, Xbox, etc.).  Usually, we statically assign their "company computer's" IP address and only allow that station access to the VPN.

All of our VPNs use IPsec, but with Cisco devices, you can pretty much do anything you want.

Diagrams and descriptions of how to set up two PIX firewalls for a LAN-to-LAN VPN using the PDM (GUI) interface.  It covers the basics without getting into the Cisco command line.  I have found it difficult to use only the PDM, though, and end up doing most of my configurations of ANY major network device through the command line interface.  But, hey!  This one has pictures.  Ha!
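The routing policy napoleon41 describes is a first-match access list: local traffic stays local, only the statically addressed company computer may send 172.16 traffic down the tunnel, the company computer gets no Internet, and personal computers get Internet but never the tunnel. The following is an added example, not configuration from the original post or from any Cisco device: it models that policy as an ordered rule table evaluated the way an ACL is, and shows that rule order matters by checking the same invariants against a misordered copy. The hospital range 172.16.0.0/16 follows the thread; the home LAN 192.168.1.0/24 and the company computer's static address 192.168.1.10 are assumptions made for the example.

```python
"""Model of the remote-office split-routing policy as a first-match ACL.

Added example; not the PIX configuration from the original post.
Addresses other than the 172.16 hospital range are assumptions.
"""
from collections import namedtuple
from typing import List
import ipaddress

HOSPITAL_NET = ipaddress.ip_network("172.16.0.0/16")     # from the thread
HOME_NET = ipaddress.ip_network("192.168.1.0/24")        # assumed home LAN
COMPANY_PC = ipaddress.ip_network("192.168.1.10/32")     # assumed static address
ANY = ipaddress.ip_network("0.0.0.0/0")

Rule = namedtuple("Rule", "src dst action")

# Ordered like an ACL: the first rule whose src/dst both match decides.
ACL: List[Rule] = [
    Rule(HOME_NET, HOME_NET, "local"),        # printers, Xbox, etc. stay local
    Rule(COMPANY_PC, HOSPITAL_NET, "tunnel"), # only the company PC reaches the VPN
    Rule(COMPANY_PC, ANY, "deny"),            # company PC gets no Internet
    Rule(HOME_NET, HOSPITAL_NET, "deny"),     # personal PCs are kept off the VPN
    Rule(HOME_NET, ANY, "internet"),          # personal PCs use the home ISP link
]

# The same rules with the Internet rule hoisted to the top: a common ordering
# mistake, kept here to show why first-match order matters.
MISORDERED_ACL: List[Rule] = [ACL[-1]] + ACL[:-1]


def evaluate(acl: List[Rule], src: str, dst: str) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


def policy_holds(acl: List[Rule]) -> bool:
    """Check the invariants napoleon41's setup relies on."""
    company, personal = "192.168.1.10", "192.168.1.50"
    hospital_host, internet_host, lan_printer = "172.16.5.4", "203.0.113.9", "192.168.1.20"
    return (
        evaluate(acl, company, hospital_host) == "tunnel"
        and evaluate(acl, company, internet_host) == "deny"
        and evaluate(acl, personal, hospital_host) == "deny"
        and evaluate(acl, personal, internet_host) == "internet"
        and evaluate(acl, personal, lan_printer) == "local"
    )


if __name__ == "__main__":
    print("intended ACL holds:", policy_holds(ACL))
    print("misordered ACL holds:", policy_holds(MISORDERED_ACL))
    print("company PC -> hospital under misordered ACL:",
          evaluate(MISORDERED_ACL, "192.168.1.10", "172.16.5.4"))
```

With the Internet rule first, every host on the home LAN matches it before the tunnel or deny rules are consulted, so the company PC's hospital traffic is sent out the ISP link and a personal PC is no longer blocked from the VPN range; the rule order, not just the rule set, is what enforces the policy.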
